Podcast Mar 13, 2025

Root Causes 477: Comparative Security Philosophies

We discuss how various popular computing platforms approach security and highlight the differences between them.


  • Original Broadcast Date: March 13, 2025

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    I think in prep for this, you prepared something, and it sounds like a lot of fun, where you looked at the comparative security philosophies of various technology providers.

  • Jason Soroko

    It’s meant to be fun. This is not an indictment. It's not even a these guys are better than others. It's just a let's make a comparison of the underlying thinking of some of these organizations. I want to land on Microsoft. There's the punch line that I'm going to give you ahead of time. If you don't mind, yes, I do have notes that I want to look at.

    So let's start with Apple. It's got the walled garden. That's what kind of characterizes Apple. It's funny how I can be across my phone, my tablet, my MacBook, and my God, it's just seamless. Emphasis on user experience, and it's good, really good in that way. There's always a downside to something, and that is, well, I do not have the kind of freedom on an Apple device that I do - especially if it's not jailbroken. If it’s straight up vanilla iOS, then, like, I can't write something that will go into the Apple App Store that will redirect SMS messages as an example. You could do that in Google, Android, all day long, but, and with Apple, no. The other thing is, like, things about like, when you download from the App Store, they do an awful lot of scrutiny and don't rely on things like a manifest. In other words, Apple has done a really nice job of saying, well, this app is going to ask for your camera rights, but you can choose. That's something that both iOS and Android now have in modern times. But the bottom line is, Apple makes a lot of their own decisions about what can and can’t happen.

  • Tim Callan

    Apple is about control. Apple is about their way. If you get on this Apple train, you're going to do it their way. If you want to do it a different way, sorry. This is our train.

  • Jason Soroko

    That’s right. So for some people, it's going to work well. For some people, not going to work at all. So, Android, Google, I'm going to say, instead of the walled garden, it's kind of like openness. User choice. You can look at the manifest and make a decision about whether or not you want to download that and run it. Flexibility. You can do SMS redirection. I've programmed that myself, it took three lines of code. Amazing. That's powerful. I can see how for some people, that is just like, that's just catnip to a certain kind of person to have that much flexibility and openness. Let's face it, though, it doesn't necessarily mean that there's a guaranteed risk of malware, because if you’re very careful with your Android device, you can avoid that. But my goodness, do they ever give you a lot of rope to hang yourself.

  • Tim Callan

    Absolutely. That’s exactly right. It takes that responsibility for security and puts it very firmly on the user. But it's also much more, choose your own adventure. It's the other side of this, which is, you do have a lot more power and control over your experience.

  • Jason Soroko

    Absolutely. Therefore, I am not going to sit here and say one's better than the other. What I am definitely going to say is that's why we're having this podcast, so that you know the difference.

    Linux. Let's talk about Linux. It's everywhere. It's on desktops. It's on servers. It's in IoT devices and various distributions of it can make it sing and dance and do all kinds of things. Well, from a security standpoint, straight up vanilla versions of Linux are typically, like talk about choose your own adventure. That takes it to the absolute max. So not surprising that Android itself is a Linux-based fork, if you will. Linux itself is all about user autonomy. Therefore, the amazing thing about Linux is the transparency. Like the ability to enumerate, hey, what has credentials and rights to certain files? Like, my goodness, Linux has that in depth and in spades, and in fact, it can be overwhelming unless you're well trained in Linux to fully understand its security capabilities. Absolutely amazing. But this user autonomy comes with such a rich customization environment that that's perhaps its strength and its weakness in that unless you really know what you're doing, you could probably never configure it right. If you do know what you're doing, you can probably configure that thing so tight it's truly, truly walled off from the world and super secure. It's hard to do, though. Like it takes work. Takes training, takes know-how. So what I would say that it's not about, oh, well, the risk of malware, the risk of the freedom limiting. It's the opposite of all those things. I would say that the risk of misconfiguration is a big problem in general Linux distributions.

    Let's talk about something that's not necessarily an operating system, but I bet you to the average person it kind of acts like an operating system, and that's everything Meta does. It’s like Meta as a whole.

  • Tim Callan

    I’m almost trying to imagine, where are we going next? Where are we going next? Meta. Let’s go.

  • Jason Soroko

    Trust me, this could be a 14-hour podcast. I'm sure I've now made everybody in the world angry. I like doing that. So, Meta Security as a Service, they make it invisible. I will tell you that the centralization of how they do their security across their platform plays is really something else, because you can be in Facebook, you can be in what is it? WhatsApp. You can be in Instagram. A lot of people don't even know that's all Meta. There's a lot of people who don't even care. But it all works together. You have one ID. It's centralized, and any of the machinations of how your security is completely invisible to you. Meta. Red Hat. So now we're getting into a specific - -

  • Tim Callan

    Yes. One flavor of Linux.

  • Jason Soroko

    A very specific flavor of Linux, and so the predictability of the security is, I think, what's important to note about Red Hat, and you're talking about enterprise grade security, where you don't have to completely depend on a sys admin who just knows every configuration that needs to be done, because a lot of the tools are now provided for you as part of the enterprise grade solution. However, just like Apple in a sense, it starts to chip away at your ability to adapt.

  • Tim Callan

    But this is a deliberate trade off. Because what you're saying when you look at Red Hat, you're like, look, my mission is not to give the most genius rocket scientist in the room the tool they can use to invent anything. My mission is to give the IT department something reliable and trustworthy that's going to get them to home plate every day.

  • Jason Soroko

    If you're a CIO, you're a CISO, you're like, oh, you go get me some Red Hat. Because I want some assurance. I want some predictability.

  • Tim Callan

    Decisions are made, those are two different forks, if you will. Two different sets of goals and objectives you're trying to have and the decisions are made to match that goal.

  • Jason Soroko

    100%. It has a place in the market, and they're successful doing it - good on them. All right. So, Microsoft. I've got some comments that I'm going to make afterwards, but Tim, give me your version.

  • Tim Callan

    In a way, Microsoft has a hard job because they have so much. They've got Xbox and Windows and Office and keyboards and LinkedIn.

  • Jason Soroko

    30 year old computers and 20 year old computers and 10 year old computers. And Surface tablets.

  • Tim Callan

    Desktops and Surface tablets. Absolutely. Microsoft has grown up. They were the open to Apple’s closed. That's built into their DNA in a pretty basic way. It's hard to get around. If you look at just the application market, and the whole idea, whole philosophy going all the way back to the 80s of we're gonna let everybody write applications. It will be better because there'll be more applications. Which worked for them. But I think the jeopardy that comes with that openness has increased from 1987 to today in a major way, which presents a bit of a challenge if you're Microsoft. Then some of these other businesses, and they're in there and very important, like Xbox. Like, you probably don't want that to just be let anyone do any damn thing you want. You probably do want to try to have a little control around that. So when you put all of that together, I'm gonna say - I don't know if this is where you're going with this - Microsoft has warring criteria. It's schizophrenic. There are different voices inside of that company that want to steer it in different directions and reconciling those is probably hard. It's probably very negotiated, very situational, and probably not terribly consistent.

  • Jason Soroko

    100% Tim. So, let's give it the words. Like nobody does that like Microsoft. Not even close. I would say that the biggest benefit you get is enterprise scalability. Like you can run gigantic enterprises off of that thing with old computers, new computers. Every printer ever made. Amazing. But the attack surface is something else.

    Here's where I want to land. Thank you for that. That was really, really good. I want to land on this, this idea, and it's going to come from my notes.

    So because of that gigantic attack surface, Microsoft has to draw some lines somewhere about what it will protect, what it will write a patch for, what it will immediately remediate. In fact, they do have a page where they define exactly what they will and will not do. A lot of people don't know about this page. This is one of the few podcasts where we'll actually make a little bit of show notes, and I'll provide that link. It's worth reading. Really what prompted this particular podcast was a recent White Hat research where a White Hat researcher was successful in causing a Windows update that would cause a downgrade attack. In other words, some form of security was downgraded, and therefore an attack was possible. It required a kernel-level attack. Now, Microsoft did not patch this or remediate it in fast action. And part of the reasoning was, well, it does not cross a service boundary. That's their words.

  • Tim Callan

    What does that mean?

  • Jason Soroko

    It means this. UAP warnings. This attack, it popped UAP warnings. But you can imagine that a lot of users can be socially engineered to just ignore a UAP warning. Microsoft said, well, if (a) if the UAP warning, which is a security boundary, was crossed. In other words, if your attack could stop UAP from showing up on the screen, well, that's a bug. We got to go fix it. That's a security boundary. Well, no. The attack did not achieve that. It did pop up a UAP message. So, you're not crossing a security boundary. The other security boundary, which was not a security boundary that was crossed, but was part of the attack, was basically kernel-level privileges were required for this attack. What Microsoft said was, if you've got kernel-level privileges, it's not a bug in Windows. You're hosed so bad, and I'm really paraphrasing here, if you're hosed that bad, there's nothing we can do.

  • Tim Callan

    I think there's a point to that.

  • Jason Soroko

    There is a point to it. As I said, this is not me bashing Microsoft. Microsoft has to draw the line somewhere, and they do. The mistake people are making and the reason why this is a podcast, is because I feel too many people who are operating Microsoft stack think that Microsoft has got your back in every scenario and every case.

  • Tim Callan

    So, they think that Microsoft's philosophy is Apple's philosophy, and it isn’t.

  • Jason Soroko

    It’s not. It can’t be. So if you're running Microsoft stack, educate yourself on what Microsoft defines as a security boundary and the things, common types of attacks, common attacks, where if the bad guy has hosed you bad enough, and you assume Microsoft's gonna - oh, they'll have to patch that, or there's got to be remediation. No, there isn't. There won't be. There probably won't be. Look, Pass-the-Hash has been around forever. Microsoft just announced after how many years at the most recent Microsoft Ignite event, just-in-time administrative credentials could be created out of a secure element. Hallelujah. Because Pass-the-Hash was all about, well again, same philosophy, a security boundary that hasn’t been crossed, because if your machine's that hosed, what's Microsoft to do? But what Microsoft has done is said, okay, we're going to create a new security boundary, which is if somebody compromises that account and somehow magically, they break into that enclave and/or that very, very privileged account is created, well, that crosses a security boundary. We will go fix that. And hallelujah. Microsoft now has that as part of their system. So it's not like, I'm not saying Microsoft will not eventually deal with these long term types of attacks and the fact that not everything crosses a security boundary that you might want it to. Microsoft will eventually probably look at everything. They're people just like us, but they had to draw the line somewhere. But you guys often make the mistake in conversation where you trust Microsoft a little too much.

    You trust a completely wide open system. A system that was designed to be wide open. And you think it's Fort Knox, and you're making an error. That’s it.